
Qubes Security Bulletin 112 addresses the Floating Point Divider State Sampling vulnerability, also tracked as XSA-488 or CVE-2025-54505, which could let attackers infer data from isolated virtual environments. The flaw affects older AMD processors built on the Zen or Zen Plus microarchitecture, while newer chips and competing brands are not believed to be affected. Once the packages reach the stable repository, Qubes 4.2 and 4.3 users can install them via the regular update interface. A full system restart is required for the changes to take effect, and Anti Evil Maid users must also reseal their passphrases because the PCR values will change.

QSB-112: Floating Point Divider State Sampling (XSA-488)






We have published Qubes Security Bulletin (QSB) 112: Floating Point Divider State Sampling (XSA-488). The text of this QSB and its accompanying cryptographic signatures are reproduced below, followed by a general explanation of this announcement and authentication instructions.

Qubes Security Bulletin 112


---===[ Qubes Security Bulletin 112 ]===---

2026-04-18

Floating Point Divider State Sampling (XSA-488)

User action
------------

Continue to update normally [1] in order to receive the security updates
described in the "Patching" section below. No other user action is
required in response to this QSB.

Summary
--------

On 2026-04-17, the Xen Project published XSA-488, "x86: Floating Point
Divider State Sampling" (CVE-2025-54505) [3]:
| Researchers from the CISPA Helmholtz Center for Information Security
| have discovered Floating Point Divider State Sampling. It is detailed
| in a paper titled "TREVEX: A Black-Box Detection Framework For
| Data-Flow Transient Execution Vulnerabilities"
|
| For more information, see:
| https://www.amd.com/en/resources/product-security/bulletin/amd-sb-7053.html
| https://roots.ec/blog/fpdss/

Impact
-------

An attacker might be able to infer data belonging to other contexts,
including data belonging to other qubes.

Affected systems
-----------------

Only AMD CPUs with the Zen or Zen+ microarchitecture (Family 17h) are
believed to be affected. Other AMD CPUs (including later Zen
generations) and CPUs from other manufacturers are not believed to be
affected.

Patching
---------

The following packages contain security updates that address the
vulnerabilities described in this bulletin:

For Qubes 4.2, in dom0:
- Xen packages, version 4.17.6-4
For Qubes 4.3, in dom0:
- Xen packages, version 4.19.4-7

These packages will migrate from the security-testing repository to the
current (stable) repository over the next two weeks after being tested
by the community. [2] Once available, the packages should be installed
via the Qubes Update tool or its command-line equivalents. [1]

Dom0 must be restarted afterward in order for the updates to take
effect.

If you use Anti Evil Maid, you will need to reseal your secret
passphrase to new PCR values, as PCR18+19 will change due to the new Xen
binaries.

Credits
--------

See the original Xen Security Advisory and linked publications.

References
-----------

[1] https://doc.qubes-os.org/en/latest/user/how-to-guides/how-to-update.html
[2] https://doc.qubes-os.org/en/latest/user/downloading-installing-upgrading/testing.html
[3] https://xenbits.xen.org/xsa/advisory-488.html

The Qubes Security Team
https://www.qubes-os.org/security/



Source: qsb-112-2026.txt
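
The check below is an added example, not part of the bulletin or of any Qubes tooling: it compares an installed Xen version-release against the fixed versions listed under "Patching" and reports whether the CPU is AMD Family 17h. The function names and the dom0 package name `xen-hypervisor` are assumptions made for this example.

```shell
#!/bin/sh
# Added example for QSB-112; function names are hypothetical.

# Fixed Xen package versions from the "Patching" section, keyed by Qubes release.
fixed_xen_version() {
    case "$1" in
        4.2) echo "4.17.6-4" ;;
        4.3) echo "4.19.4-7" ;;
        *)   return 1 ;;
    esac
}

# Drop the dist tag from version-release, e.g. 4.17.6-4.fc37 -> 4.17.6-4
strip_dist() {
    ver=${1%%-*}; rel=${1#*-}
    echo "$ver-${rel%%.*}"
}

# True when version-release $1 is at or above $2 (sort -V ordering).
version_ge() {
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$2" ]
}

# True when the cpuinfo text on stdin reports AMD Family 17h (decimal 23).
# Family 17h is broader than Zen/Zen+, so a match means "check the model",
# not "affected".
is_amd_family_17h() {
    awk -F': *' '/^vendor_id/ {v=$2} /^cpu family/ {f=$2}
                 END {exit !(v == "AuthenticAMD" && f == 23)}'
}

# Usage in dom0: qsb112_status 4.2   (argument = Qubes release)
# Assumption: the hypervisor package is named xen-hypervisor.
qsb112_status() {
    want=$(fixed_xen_version "$1") || { echo "unknown release: $1"; return 2; }
    have=$(strip_dist "$(rpm -q --qf '%{VERSION}-%{RELEASE}' xen-hypervisor)")
    if is_amd_family_17h < /proc/cpuinfo; then echo "CPU: AMD Family 17h"
    else echo "CPU: not AMD Family 17h"; fi
    if version_ge "$have" "$want"; then
        echo "Xen $have installed (>= $want); restart dom0 if not done since"
    else
        echo "Xen $have installed, fix is in $want"; return 1
    fi
}
```

The installed package version only shows what is on disk; the running hypervisor is the patched one only after the dom0 restart the bulletin requires.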

Marek Marczykowski-Górecki’s PGP signature